Interior renews support for obsolete tech

Microsoft declared Windows Server 2003 dead in July, but the Interior Department's Bureau of Reclamation is buying custom support for 100 licenses.

Wikimedia image: Windows Server 2003.

The Interior Department is hanging onto Microsoft Windows Server 2003, even though the software is now officially obsolete.

The agency's Bureau of Reclamation announced a one-year limited-source award to Microsoft reseller New Tech to support 100 licenses of Windows Server 2003. Interior made the award on a limited-source basis because of "urgent and compelling need," according to contracting documents posted on FedBizOpps on Aug. 21.

"Due to recent cyberattacks on federal government IT systems, [the Office of Management and Budget and the Department of Homeland Security] have issued mandates for additional cybersecurity for all federal government IT systems, and assuming the risk of keeping these systems online without current patches is not a prudent or judicious option," the contracting documents state.

The value of the contract was not made public.

Microsoft officially stopped supporting Server 2003 on July 14. That means the company will no longer issue patches, updates or bug reports to users. Microsoft does offer custom agreements for out-of-support software, but they are expensive.

"Microsoft encourages customers that currently run Windows Server 2003 and have not yet begun migration planning to do so immediately," a company spokesperson told FCW.

DHS's U.S. Computer Emergency Readiness Team posted an alert in November 2014 about the end of Windows Server 2003's life cycle. "Computer systems running unsupported software are exposed to an elevated risk to cybersecurity dangers, such as malicious attacks or electronic data loss," US-CERT warned.

Interior's award comes on the heels of the hack of Office of Personnel Management data, which included exfiltration of personally identifiable information from a data center hosted by Interior. The agency's inspector general also recently issued a report that identified security weaknesses in public-facing websites, including those maintained by the Bureau of Reclamation.

"The U.S. Department of the Interior is taking the necessary steps to decommission all Microsoft Windows Server 2003 operating systems," an Interior Department spokesperson told FCW in an emailed comment. "The department continues to take all necessary actions to secure our data and applications." 

Interior is by no means alone in relying on out-of-support tech. The Navy recently signed a $9.1 million contract with Microsoft to support legacy Windows systems, including Server 2003. The Treasury Department's Alcohol and Tobacco Tax and Trade Bureau recently announced a plan to sole-source Server 2003 support to Microsoft. Worldwide, 175 million websites are served from computers running Server 2003, according to a survey by Netcraft, an Internet services company based in England.

The risk of sticking with out-of-support systems depends on the sensitivity of the work they support. "The risk on workstations is bad but not awful," Scott Montgomery, vice president and chief technology strategist at Intel Security, told FCW. "Depending on what kind of data is on these old servers, the risk could be awful."

Despite the long lead time Microsoft has given users to plan for Windows Server 2003's obsolescence, organizations often don't move until it's too late. And migrating to newer systems or the cloud can be tricky for agencies. Legacy applications that run fine on Windows Server 2003 might have problems on a new operating system or in the cloud. Updates for legacy software might be harder to come by or more expensive than support for obsolete operating systems.

"For these large federal organizations," Montgomery said, "it's really painful to migrate. It sucks."